Commit bbbf2d40 authored by moodler's avatar moodler

ROLES AND PERMISSIONS - FIRST CHECK-IN

=======================================

WARNING:  DEV IS CURRENTLY VERY UNSTABLE.

This is a mega-checkin of the new Roles system.   A lot of changes have
been made in core and modules.

Currently there are a lot of rough edges and known problems.  We are
working hard on these. The reason for getting this into HEAD at this
stage is to enable us to move faster (our branch was diverging from HEAD
too much).

Please keep an eye on http://docs.moodle.org/en/Roles for current status
and information for developers on how to use the new Roles system.
parent 394577c3
......@@ -117,6 +117,8 @@
}
}
}
// Delete the capabilities that were defined by this block
capabilities_cleanup('block/'.$block->name);
$a->block = $strblockname;
$a->directory = $CFG->dirroot.'/blocks/'.$block->name;
......@@ -7,7 +7,8 @@
if ($site = get_site()) { // If false then this is a new installation
require_login();
if (!isadmin()) {
$context = get_context_instance(CONTEXT_SYSTEM, SITEID);
if (!has_capability('moodle/site:config', $context->id)) {
error('Only the admin can use this page');
}
}
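Review bot: The result of `get_context_instance(CONTEXT_SYSTEM, SITEID)` on line 34 is dereferenced without being checked, so if it returns false — plausible on a site that has not yet run the roles upgrade, which the index.php hunk guards with `$CFG->rolesactive` — `has_capability()` receives a null context id and whatever it does with that decides access to this page. Failing closed is cheap: `if (!$context = get_context_instance(CONTEXT_SYSTEM, SITEID)) { error('Could not find the system context'); }` ahead of the capability check. The message 'Only the admin can use this page' is also now slightly misleading, since any role granted moodle/site:config passes.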
......@@ -23,7 +24,7 @@
if ($config = data_submitted($match)) {
if (!empty($USER->id)) { // Additional identity check
if (!empty($USER->id)) { // Additional identity check
if (!confirm_sesskey()) {
error(get_string('confirmsesskeybad', 'error'));
}
......@@ -4,8 +4,9 @@
require_login();
if (!isadmin()) {
error('Only admins can access this page');
$context = get_context_instance(CONTEXT_SYSTEM, SITEID);
if (!has_capability('moodle/site:config', $context->id)) {
error('Only the admin can use this page');
}
if (!$site = get_site()) {
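Review bot: `$context->id` on line 52 assumes `get_context_instance()` succeeded; a false return would hand `has_capability()` a null context id instead of refusing access, which is the wrong direction for an admin-only page to fail. Guard it before the check: `if (!$context = get_context_instance(CONTEXT_SYSTEM, SITEID)) { error('Could not find the system context'); }`. The new wording 'Only the admin can use this page' also undersells what the check now does, as any role holding moodle/site:config is admitted.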
......@@ -28,9 +28,8 @@
$confirmupgrade = optional_param('confirmupgrade', 0, PARAM_BOOL);
$agreelicence = optional_param('agreelicence',0, PARAM_BOOL);
/// check upgrade status first
upgrade_check_running("Upgrade already running, please wait!", 10);
#upgrade_check_running("Upgrade already running, please wait!", 10);
/// Check some PHP server settings
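Review bot: Line 62 disables the `upgrade_check_running()` guard with a `#` and no explanation, which removes the protection against two admins (or a page refresh) running the upgrade concurrently — at the same moment the roles migration is being added to that path. The reason for disabling it is not visible in this hunk; if the lock was getting in the way during roles development, say so next to it and make the restoration a tracked item, e.g. `# TODO(roles): re-enable upgrade_check_running() once the roles upgrade no longer trips it`, or better, leave the call active and fix whatever it collides with.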
......@@ -79,6 +78,12 @@
$CFG->version = "";
}
/// Turn off time limits and try to flush everything all the time, sometimes upgrades can be slow.
@set_time_limit(0);
@ob_implicit_flush(true);
@ob_end_flush();
/// Check if the main tables have been installed yet or not.
if (! $tables = $db->Metatables() ) { // No tables yet at all.
......@@ -165,6 +170,12 @@
print_heading($strdatabasechecking);
$db->debug=true;
if (main_upgrade($CFG->version)) {
if (empty($CFG->rolesactive)) {
moodle_upgrade_roles_system_17();
}
if (!update_capabilities()) {
error('Had trouble upgrading the core capabilities for Roles');
}
$db->debug=false;
if (set_config("version", $version)) {
remove_dir($CFG->dataroot . '/cache', true); // flush cache
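Review bot: `moodle_upgrade_roles_system_17()` on line 78 is called without looking at its result, while the `update_capabilities()` call immediately after it aborts on failure; if the roles migration reports a failure the code still falls through to `set_config("version", $version)` and stamps the site as upgraded. Assuming that function returns a status like its neighbour, mirror the handling: `if (!moodle_upgrade_roles_system_17()) { error('Had trouble upgrading to the Roles system'); }`. If it returns nothing, a comment on line 78 saying so — and how a half-finished roles migration is detected on the next run, presumably by `$CFG->rolesactive` staying empty — would save the next reader the question.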
......@@ -240,6 +251,7 @@
redirect("config.php");
}
/// Find and check all main modules and load them up or upgrade them if necessary
upgrade_activity_modules("$CFG->wwwroot/$CFG->admin/index.php"); // Return here afterwards
......@@ -304,7 +316,10 @@
/// Check for valid admin user
require_login();
if (!isadmin()) {
$context = get_context_instance(CONTEXT_SYSTEM, SITEID);
if (!isadmin()) {
//if (!has_capability('moodle/site:config', $context->id)) {
error("You need to be an admin user to use this page.", "$CFG->wwwroot/login/index.php");
}
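Review bot: Line 97 leaves the `has_capability('moodle/site:config', ...)` check commented out with no note, so this page keeps `isadmin()` while the other admin pages in this commit switch to the capability check; `$context` is computed on line 95 but no longer feeds the guard here. A one-line reason would stop someone switching it prematurely, e.g. `// TODO(roles): keep isadmin() here until the upgrade above has created the capabilities; then switch to has_capability()` — the actual reason is not visible in the hunk, so adjust the wording to match it. The enclosing code continues beyond the hunk.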
......@@ -416,6 +431,12 @@
get_string('addnewuser').'</a> - <span class="explanation">'.get_string('adminhelpaddnewuser').'</span></div>';
$userdata .= '<div class="adminlink"><a href="'.$CFG->wwwroot.'/'.$CFG->admin.'/uploaduser.php?sesskey='.$USER->sesskey.'">'.
get_string('uploadusers').'</a> - <span class="explanation">'.get_string('adminhelpuploadusers').'</span></div>';
$userdata .= '<div class="adminlink"><a href="roles/manage.php">'.
get_string('manageroles').'</a> - <span class="explanation">'.get_string('adminmanageroles').
' <img src="../pix/t/user.gif" height="11" width="11" alt="" /></span></div>';
$userdata .= '<div class="adminlink"><a href="roles/assign.php?contextid='.$context->id.'">'.
get_string('assignroles').'</a> - <span class="explanation">'.get_string('adminassignroles').
' <img src="../pix/t/user.gif" height="11" width="11" alt="" /></span></div>';
$table->data[] = array('<strong><a href="users.php">'.get_string('users').'</a></strong>', $userdata);
......@@ -423,17 +444,25 @@
'</a> - <span class="explanation">'.get_string('adminhelpcourses').'</span></div>';
$coursedata .= '<div class="adminlink"><a href="enrol.php?sesskey='.$USER->sesskey.'">'.get_string('enrolmentplugins').
'</a> - <span class="explanation">'.get_string('adminhelpenrolments').'</span></div>';
$coursedata .= '<div class="adminlink"><a href="../course/index.php?edit=off&amp;sesskey='.$USER->sesskey.'">'.
get_string('assignstudents').'</a> - <span class="explanation">'.get_string('adminhelpassignstudents').'</span></div>';
$coursedata .= '<div class="adminlink"><a href="../course/index.php?edit=on&amp;sesskey='.$USER->sesskey.'">'.
get_string('assignteachers').'</a> - <span class="explanation">'.get_string('adminhelpassignteachers').
' <img src="../pix/t/user.gif" height="11" width="11" alt="" /></span></div>';
$coursedata .= '<div class="adminlink"><a href="creators.php?sesskey='.$USER->sesskey.'">'.get_string('assigncreators').
'</a> - <span class="explanation">'.get_string('adminhelpassigncreators').'</span></div>';
$coursedata .= '<div class="adminlink"><a href="admin.php?sesskey='.$USER->sesskey.'">'.get_string('assignadmins').
'</a> - <span class="explanation">'.get_string('adminhelpassignadmins').'</span></div>';
$table->data[] = array('<strong><a href="courses.php">'.get_string('courses').'</a></strong>', $coursedata);
$table->data[] = array('<strong><a href="../files/index.php?id='.$site->id.'">'.get_string('sitefiles').'</a></strong>',
'<div class="explanation">'.get_string('adminhelpsitefiles').'</div>');
$table->data[] = array('<strong><a href="stickyblocks.php">'.get_string('stickyblocks','admin').'</a></strong>',
'<div class="explanation">'.get_string('adminhelpstickyblocks').'</div>');
$table->data[] = array('<strong><a href="report.php">'.get_string('reports').'</a></strong>',
'<div class="explanation">'.get_string('adminhelpreports').'</div>');
$testingdata = '<div class="adminlink"><a href="environment.php">'.get_string('environment', 'admin').
'</a> - <span class="explanation">'.get_string('adminhelpenvironment').'</span></div>';
$testingdata .= '<div class="adminlink"><a href="report/simpletest/index.php">'.get_string('simpletest', 'admin').
'</a> - <span class="explanation">'.get_string('adminhelpsimpletest').'</span></div>';
$table->data[] = array('<strong><a href="tests.php">'.get_string('tests','admin').'</a></strong>',
$testingdata);
$miscdata = '<div class="adminlink"><a href="../files/index.php?id='.$site->id.'">'.get_string('sitefiles').
'</a> - <span class="explanation">'.get_string('adminhelpsitefiles').'</span></div>';
......@@ -126,8 +126,10 @@
}
}
}
//rebuild_course_cache(); // Because things have changed
// Delete the capabilities that were defined by this module
capabilities_cleanup('mod/'.$module->name);
// rebuild_course_cache(); // Because things have changed
$coursesaffected = true;
$a->module = $strmodulename;
<form name="studentform" id="studentform" method="post" action="assign.php">
<input type="hidden" name="previoussearch" value="<?php echo $previoussearch ?>" />
<input type="hidden" name="sesskey" value="<?php echo sesskey() ?>" />
<input type="hidden" name="contextid" value="<?php echo $contextid ?>" />
<input type="hidden" name="roleid" value="<?php echo $roleid ?>" />
<table align="center" border="0" cellpadding="5" cellspacing="0">
<tr>
<td valign="top">
<?php
$a->count = count($contextusers);
$a->items = $strexistingusers;
print_string('counteditems', '', $a);
?>
</td>
<td></td>
<td valign="top">
<?php
$a->count = $usercount;
$a->items = $strpotentialusers;
print_string('counteditems', '', $a);
?>
</td>
</tr>
<tr>
<td valign="top">
<select name="removeselect[]" size="20" id="removeselect" multiple
onFocus="document.studentform.add.disabled=true;
document.studentform.remove.disabled=false;
document.studentform.addselect.selectedIndex=-1;" />
<?php
foreach ($contextusers as $contextuser) {
$fullname = fullname($contextuser, true);
echo "<option value=\"$contextuser->id\">".$fullname.", ".$student->email."</option>\n";
}
?>
</select></td>
<td valign="top">
<br />
<input name="add" type="submit" id="add" value="&larr;" />
<br />
<input name="remove" type="submit" id="remove" value="&rarr;" />
<br />
</td>
<td valign="top">
<select name="addselect[]" size="20" id="addselect" multiple
onFocus="document.studentform.add.disabled=false;
document.studentform.remove.disabled=true;
document.studentform.removeselect.selectedIndex=-1;">
<?php
if (!empty($searchusers)) {
echo "<optgroup label=\"$strsearchresults (" . count($searchusers) . ")\">\n";
foreach ($searchusers as $user) {
$fullname = fullname($user, true);
echo "<option value=\"$user->id\">".$fullname.", ".$user->email."</option>\n";
}
echo "</optgroup>\n";
}
else {
if ($usercount > MAX_USERS_PER_PAGE) {
echo '<optgroup label="'.get_string('toomanytoshow').'"><option></option></optgroup>'."\n"
.'<optgroup label="'.get_string('trysearching').'"><option></option></optgroup>'."\n";
}
else {
if ($usercount > 0) { //fix for bug#4455
foreach ($users as $user) {
$fullname = fullname($user, true);
echo "<option value=\"$user->id\">".$fullname.", ".$user->email."</option>\n";
}
}
}
}
?>
</select>
<br />
<input type="text" name="searchtext" size="30" value="<?php p($searchtext, true) ?>"
onFocus ="document.studentform.add.disabled=true;
document.studentform.remove.disabled=true;
document.studentform.removeselect.selectedIndex=-1;
document.studentform.addselect.selectedIndex=-1;"
onkeydown = "var keyCode = event.which ? event.which : event.keyCode;
if (keyCode == 13) {
document.studentform.previoussearch.value=1;
document.studentform.submit();
} " />
<input name="search" id="search" type="submit" value="<?php p($strsearch) ?>" />
<?php
if (!empty($searchusers)) {
echo '<input name="showall" id="showall" type="submit" value="'.$strshowall.'" />'."\n";
}
?>
</td>
</tr>
</table>
</form>
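Review bot: Line 183 reads `$student->email` inside a loop whose variable is `$contextuser`, so `$student` is undefined here and the existing-users list prints an empty email for every row (with a PHP notice). The same three `<option>` echoes on lines 183, 204 and 217 also write `$fullname` and the email straight into HTML, so a user whose name or email contains `<` or `"` breaks the markup and can inject script into an administrator's page; escape them with the returning form of the `p()` helper already used on line 225 (`s()`, if this codebase provides it), e.g. `echo '<option value="'.$contextuser->id.'">'.s($fullname).', '.s($contextuser->email).'</option>'."\n";`. Separately, line 179 closes the `<select>` tag with `/>` before its options, which is not valid markup.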
<?php // $Id$
// Script to assign students to courses
require_once("../../config.php");
define("MAX_USERS_PER_PAGE", 5000);
$contextid = required_param('contextid',PARAM_INT); // context id
$roleid = optional_param('roleid', 0, PARAM_INT); // required role id
$add = optional_param('add', 0, PARAM_BOOL);
$remove = optional_param('remove', 0, PARAM_BOOL);
$showall = optional_param('showall', 0, PARAM_BOOL);
$searchtext = optional_param('searchtext', '', PARAM_RAW); // search string
$previoussearch = optional_param('previoussearch', 0, PARAM_BOOL);
$hidden = optional_param('hidden', 0, PARAM_BOOL); // whether this assignment is hidden
$previoussearch = ($searchtext != '') or ($previoussearch) ? 1:0;
$timestart = optional_param('timestart', 0, PARAM_INT);
$timeend = optional_param('timened', 0, PARAM_INT);
if (! $site = get_site()) {
redirect("$CFG->wwwroot/$CFG->admin/index.php");
}
if (! $context = get_record("context", "id", $contextid)) {
error("Context ID was incorrect (can't find it)");
}
/* permission check to see whether this user can assign people to this role
* needs to be:
* 1) has the capability to assign
* 2) not in role_deny_grant
* end of permission checking
*/
/*
if ($course->metacourse) {
redirect("$CFG->wwwroot/course/importstudents.php?id=$course->id");
}
*/
require_login($course->id);
if (!isteacheredit($course->id)) {
error("You must be an editing teacher in this course, or an admin");
}
$strassignusers = get_string('assignusers');
$strpotentialusers = get_string('potentialusers');
$strexistingusers = get_string('existingusers');
$strsearch = get_string('search');
$strshowall = get_string('showall');
/*
if ($course && $course->id != SITEID) { // course header
print_header("$course->shortname: $strassignusers",
"$site->fullname",
"<a href=\"view.php?id=$course->id\">$course->shortname</a> -> $strassignusers");
} else { // site header
print_header("$site->shortname: $strassignusers",
"$site->fullname",
"$strassignusers");
}
*/
$straction = get_string('roleassignment');
$context = get_record('context', 'id', $contextid);
$currenttab = '';
$tabsmode = 'assign';
include_once('tabs.php');
/// Don't allow restricted teachers to even see this page (because it contains
/// a lot of email addresses and access to all student on the server
check_for_restricted_user($USER->username, "$CFG->wwwroot/course/view.php?id=$course->id");
/// Print a help notice about the need to use this page
if (!$frm = data_submitted()) {
/// A form was submitted so process the input
} else {
if ($add and !empty($frm->addselect) and confirm_sesskey()) {
//$timestart = ????
// time end = ????
$timemodified = time();
foreach ($frm->addselect as $adduser) {
$adduser = clean_param($adduser, PARAM_INT);
if (! role_assign($roleid, $adduser, 0, $contextid, $timestart, $timeend, $hidden)) {
error("Could not add user with id $adduser to this role!");
}
}
} else if ($remove and !empty($frm->removeselect) and confirm_sesskey()) {
foreach ($frm->removeselect as $removeuser) {
$removeuser = clean_param($removeuser, PARAM_INT);
if (! role_unassign($roleid, $removeuser, 0, $contextid)) {
error("Could not remove user with id $removeuser from this role!");
}
}
} else if ($showall) {
$searchtext = '';
$previoussearch = 0;
}
}
/// Get all existing students and teachers for this course.
$existinguserarray = array();
$SQL = "select u.* from {$CFG->prefix}role_assignments r, {$CFG->prefix}user u where contextid = $contextid and roleid = $roleid and u.id = r.userid"; // join now so that we can just use fullname() later
if (!$contextusers = get_records_sql($SQL)) {
$contextusers = array();
}
foreach ($contextusers as $contextuser) {
$existinguserarray[] = $contextuser->id;
}
$existinguserlist = implode(',', $existinguserarray);
unset($existinguserarray);
/// Get search results excluding any users already in this course
if (($searchtext != '') and $previoussearch) {
$searchusers = get_users(true, $searchtext, true, $existinguserlist, 'firstname ASC, lastname ASC',
'', '', 0, 99999, 'id, firstname, lastname, email');
$usercount = get_users(false, '', true, $existinguserlist);
}
/// If no search results then get potential students for this course excluding users already in course
if (empty($searchusers)) {
$usercount = get_users(false, '', true, $existinguserlist, 'firstname ASC, lastname ASC', '', '',
0, 99999, 'id, firstname, lastname, email') ;
$users = array();
if ($usercount <= MAX_USERS_PER_PAGE) {
$users = get_users(true, '', true, $existinguserlist, 'firstname ASC, lastname ASC', '', '',
0, 99999, 'id, firstname, lastname, email');
}
}
// this needs to check capability too
$role = get_records('role');
foreach ($role as $rolex) {
$options[$rolex->id] = $rolex->name;
}
// prints a form to swap roles
print ('<form name="rolesform" action="assign.php" method="post">');
print ('<div align="center">Current Context: '.print_context_name($contextid).'<br/>');
print ('<input type="hidden" name="contextid" value="'.$contextid.'">Select a Role: ');
choose_from_menu ($options, 'roleid', $roleid, 'choose', $script='rolesform.submit()');
print ('</div></form>');
if ($roleid) {
print_simple_box_start("center");
include('assign.html');
print_simple_box_end();
}
print_footer($course);
?>
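Review bot: The only access check this script performs is `isteacheredit($course->id)` on line 278 (plus `require_login($course->id)` on 277 and `check_for_restricted_user(...)` on 304), but `$course` is never assigned anywhere in the file, so who may assign any role in any `contextid` is decided by how those helpers treat a null course id, not by the capability check the comment on lines 266–271 says is needed. Until that capability check exists the page should at least fail closed: resolve the course from `$context`, or require the role-assignment capability for `$contextid` via `has_capability()`, and drop the `$course`-based calls. Two smaller defects: line 259 reads `optional_param('timened', ...)`, so `$timeend` never comes from the request, and line 257 binds as `($previoussearch = ($searchtext != '')) or ...` because `or` has lower precedence than `=`, so the submitted `previoussearch` flag is ignored.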
<form name="rolesform" action="manage.php" method="post">
<input type="hidden" name="roleid" value="<?php echo $roleid; ?>">
<input type="hidden" name="sesskey" value="<?php print (sesskey()); ?>">
<input type="hidden" name="action" value="<?php echo $action; ?>">
<br/>Role Name: <input type="text" name="name" value="<?php echo $role->name; ?>">
<br/>Role Description: <input type="text" name="description" value="<?php echo $role->description; ?>">
<input type="hidden" name="contextid" value="<?php echo $contextid; ?>">
<p>
<table>
<tr>
<td>Capability Name</td><td>Inherit</td><td>Allow</td><td>Prevent</td><td>Prohibit</td>
</tr>
<?php
// init these 2
$contextlevel = 0;
$component = '';
foreach ($capabilities as $capability) {
// prints a breaker if component or name or context level
if ($capability->component != $component or $capability->contextlevel != $contextlevel) {
echo ('<tr><td colspan="4"><b>'.get_component_string($capability->component, $capability->contextlevel).'</b></td></tr>');
}
// these 2 are used to see to group same mod/core capabilities together
$contextlevel = $capability->contextlevel;
$component = $capability->component;
// check the capability override for this cap, this role in this context
$SQL = "select * from {$CFG->prefix}role_capabilities where
roleid = $roleid and capability = '$capability->name' and contextid = $contextid";
$localoverride = get_record_sql($SQL);
if (isset($r_caps[$capability->name])) {
$isallow = $r_caps[$capability->name] > 0;
$isprevent = $r_caps[$capability->name] < 0 && $r_caps[$capability->name] > -500;
$isprohibit = $r_caps[$capability->name] <= -500;
} else {
$isallow = 0;
$isprevent = 0;
$isprohibit = 0;
}
?>
<tr>
<td><?php echo get_capability_string($capability->name); ?></td>
<td><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="0" <?php if (!isset($localoverride->permission) || $localoverride->permission==0){ echo 'checked="checked"'; }?>></td>
<td><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="1" <?php if (isset($localoverride->permission) && $localoverride->permission==1){ echo 'checked="checked"'; }?>></td>
<td ><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="-1" <?php if (isset($localoverride->permission) && $localoverride->permission==-1){ echo 'checked="checked"'; }?>></td>
<td ><INPUT TYPE=radio NAME="<?php echo $capability->name; ?>" VALUE="-1000" <?php if (isset($localoverride->permission) && $localoverride->permission==-1000){ echo 'checked="checked"'; }?>></td>
</tr>
<?php } ?>
</table>
</p>
<br/><input type="submit" value="<?php print_string($action);?>">
</form>
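Review bot: Lines 380 and 381 put `$role->name` and `$role->description` into `value="..."` attributes unescaped; the description is only filtered with PARAM_NOTAGS on the way in (manage.php line 434), which strips tags but not quotes, so a stored `"` followed by an event-handler attribute breaks out of the attribute and runs in the next administrator's browser. Escape both with the `p()` helper used elsewhere in this commit, e.g. `value="<?php p($role->name) ?>"` and `value="<?php p($role->description) ?>"`. The `$isallow`/`$isprevent`/`$isprohibit` values computed on lines 404–412 are never read — the radios on 416–419 use `$localoverride` — so either drop them or use them to show the inherited state, which the 'Inherit' column currently does not.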
<?php //$Id$
///dummy field names are used to help adding and dropping indexes. There's only 1 case now, in scorm_scoes_track
//testing
require_once('../../config.php');
require_login();
$roleid = optional_param('roleid', 0, PARAM_INT); // if set, we are editting a role
$action = optional_param('action', '', PARAM_ALPHA);
$name = optional_param('name', '', PARAM_ALPHA); // new role name
$description = optional_param('description', '', PARAM_NOTAGS); // new role desc
$confirm = optional_param('confirm', 0, PARAM_BOOL);
$sitecontext = get_context_instance(CONTEXT_SYSTEM, SITEID);
$contextid = $sitecontext->id;
if (!isadmin()) {
error('Only admins can access this page');
}
if (!$site = get_site()) {
redirect('index.php');
}
$stradministration = get_string('administration');
$strmanageroles = get_string('manageroles');
print_header("$site->shortname: $strmanageroles",
"$site->fullname",
"<a href=\"../index.php\">$stradministration</a> -> $strmanageroles");
// form processing, editting a role, adding a role or deleting a role
if ($action && confirm_sesskey()) {
switch ($action) {
case 'add':
$newrole = create_role($name, $description);
$ignore = array('roleid', 'sesskey', 'action', 'name', 'description', 'contextid');
$data = data_submitted();
foreach ($data as $capname => $value) {
if (in_array($capname, $ignore)) {
continue;
}
assign_capability($capname, $value, $newrole, $contextid);
}
break;
case 'edit':
$ignore = array('roleid', 'sesskey', 'action', 'name', 'description', 'contextid');
$data = data_submitted();
foreach ($data as $capname => $value) {
if (in_array($capname, $ignore)) {
continue;
}
// edit default caps
$SQL = "select * from {$CFG->prefix}role_capabilities where
roleid = $roleid and capability = '$capname' and contextid = $contextid";
$localoverride = get_record_sql($SQL);
if ($localoverride) { // update current overrides
if ($value == 0) { // inherit = delete
unassign_capability($capname, $roleid, $contextid);
} else {
$localoverride->permission = $value;
$localoverride->timemodified = time();
$localoverride->modifierid = $USER->id;
update_record('role_capabilities', $localoverride);
}
} else { // insert a record
assign_capability($capname, $value, $roleid, $contextid);
}
}
// update normal role settings
$role->id = $roleid;
$role->name = $name;
$role->description = $description;
update_record('role', $role);
break;
case 'delete':
if ($confirm) { // deletes a role
echo ('deleting...');
// check for depedencies
// delete all associated role-assignments?
delete_records('role', 'id', $roleid);
} else {
echo ('<form action="manage.php" method="POST">');
echo ('<input type="hidden" name="action" value="delete">');
echo ('<input type="hidden" name="roleid" value="'.$roleid.'">');
echo ('<input type="hidden" name="sesskey" value="'.sesskey().'">');
echo ('<input type="hidden" name="confirm" value="1">');
echo ('are you sure?');
echo ('<input type="submit" value="yes">');
print_footer($course);
exit;
// prints confirmation form
}
break;
/// add possible positioning switch here
default:
break;
}